Campcodes Online Hotel Reservation System SQL Injection Vulnerability

Vulnerability

A critical SQL injection vulnerability has been identified in Campcodes Online Hotel Reservation System version 1.0. The issue resides in the admin index.php file of the Login component. Remote attackers can manipulate the username and password parameters to inject SQL that the database then executes. Exploitation bypasses input validation and sanitization, enabling unauthorized database access and operations.

Impact

Exploitation of this vulnerability allows unauthorized access to the database, can lead to leakage or manipulation of sensitive data, and could disrupt service availability.

Reproduction

The vulnerability can be reproduced by sending a POST request to /admin/index.php with crafted SQL injection payloads in the username and password fields. This can be automated using tools like sqlmap.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.
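
A login check built on the first two recommendations above, as an added example (not code from Campcodes or from this advisory). The `admin_users` table, its columns, the username allow-list, the use of `password_hash`/`password_verify` and the in-memory SQLite database standing in for the application's database are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed stand-in: in-memory SQLite with a hypothetical admin_users table.
function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE admin_users (id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL, pass_hash TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO admin_users (username, pass_hash) VALUES (?, ?)');
    $ins->execute(['admin', password_hash('constructed-demo-password', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Returns the admin id on success, null on any failure.
function admin_login(PDO $pdo, $username, $password): ?int
{
    // POST fields can arrive as arrays (username[]=...); accept strings only.
    if (!is_string($username) || !is_string($password)) {
        return null;
    }
    // Allow-list validation of the username; bound the password length.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $username) || strlen($password) > 1024) {
        return null;
    }
    // The SQL text is fixed; the username reaches the database only as a bound value.
    $stmt = $pdo->prepare('SELECT id, pass_hash FROM admin_users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The password never enters SQL: it is checked against the stored hash.
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// In a request handler (assumed shape):
//   admin_login($pdo, $_POST['username'] ?? null, $_POST['password'] ?? null)
$pdo = make_demo_db();
$cases = [ // constructed inputs
    'valid credentials'       => ['admin', 'constructed-demo-password'],
    'wrong password'          => ['admin', 'not-the-password'],
    'username with a quote'   => ["admin'", 'constructed-demo-password'],
    'array instead of string' => [['admin'], 'constructed-demo-password'],
];
foreach ($cases as $label => [$u, $p]) {
    printf("%-26s %s\n", $label, var_export(admin_login($pdo, $u, $p), true));
}
```

Because the statement text never changes with the request, a quote or any other SQL metacharacter in either field is rejected by validation or treated as plain data rather than parsed as SQL.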

Added: Jul 31, 2025, 10:18 AM
Updated: Jul 31, 2025, 10:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.